DoS Assaults Underway Against Spam Blocklists 797
Hiawatha writes "The same sort of denial of service attacks that drove spam blocklist Osirusoft off the Internet are battering many other blocklist services as well." Apparently spammers aren't going to sit by and let people try to ignore their unwanted pitches.
Karma Whore? (Score:1, Informative)
Re:Why does he think it's spammers? (Score:5, Informative)
Here's a great blow by blow report [fastmail.fm] of one such incident by Jeremy Howard, one of the directors of the company, as well as some reasons the list doesn't work.
Quite a few actually. (Score:4, Informative)
And depending on just Bayesian filtering is putting all of your eggs in one basket, IMHO (though it is a pretty darn good basket). There are many spammers out there trying to poison Bayes databases by adding random dictionary words to their HTML based emails.
Re:ever tried to get off SPEWS? (Score:5, Informative)
They start with the IP, then list class C, then widen the number of class Cs. It takes a fucking lot to get expanded. There is less than 1% of the internet listed by SPEWS (after removing IANA reserved space)
I have Brazil, Argentina, Korea and China tagged on my server. Number of false positives: 0. YMMV.
Re:Why does he think it's spammers? (Score:4, Informative)
I will tell you precisely why, and these points are almost never brought up by the usual SPEWS critics:
1) Those listing criteria are not publicly specified - only a small group of network admins, and readers of NANAE, who are familiar with SPEWS understand their method. The vast majority of admins using these blacklists are people who are just desperate to stop spam so they install tool XYZ without realizing the implications. SPEWS feeds on this desperation to get their foot in the door - it's not until someone finds that a ton of their legitimate mail is being blocked due to deliberate "collateral damage" that they realize they need to ask their administrator to stop using SPEWS (or whitelist the hapless victim with whom they're trying to communicate).
2) SPEWS keeps logs which are not detailed and often downright inaccurate.
3) SPEWS does not provide a way for spam filters to differentiate between real spammers and collateral damage. It's all listed the same.
There is a reason why civilized countries have laws against libel/slander, and SPEWS walks a *very* thin line.
Re:Whitelisting (Score:4, Informative)
Whitelist: allow everything in from anyone on that list
IFF doesn't meet above criteria, filter it.
So, it doesn't prevent anyone from contacting you the first time, unless their email says something like "bigger penis breast enlarger xxx sex goatse.cx tubgirl"
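The two-rule order the comment describes (whitelist first, then filter everything else on content) as an added example; this is not code from the original post, and the whitelist entries, keyword list and messages in it are constructed for illustration:

```python
"""Whitelist-first filtering, as described in the comment above.

Added example, not code from the original post. The whitelist entries,
keyword list and sample inputs are constructed for illustration.
"""
import re

# Constructed whitelist: exact addresses, plus whole domains prefixed with "@".
WHITELIST = {"alice@example.org", "@partner.example"}

# Constructed keyword list; a real deployment tunes this to its own mail stream.
KEYWORDS = ("bigger penis", "breast enlarger", "xxx sex", "goatse.cx", "tubgirl")


def is_whitelisted(sender, whitelist=WHITELIST):
    """True if the sender address, or its domain, is on the whitelist."""
    sender = sender.strip().lower()
    if sender in whitelist:
        return True
    if "@" in sender:
        domain = sender.rsplit("@", 1)[1]
        return "@" + domain in whitelist
    return False


def keyword_hits(body, keywords=KEYWORDS):
    """Keywords present in the body, matched case-insensitively with runs of whitespace collapsed."""
    text = re.sub(r"\s+", " ", body.lower())
    return [k for k in keywords if k in text]


def classify(sender, body, threshold=1):
    """Apply the rules in order: whitelist wins outright; otherwise filter on keyword hits.

    Returns ("allow", reason) or ("filter", reason). First contact from an unknown
    sender is allowed unless the body trips the keyword threshold.
    """
    if is_whitelisted(sender):
        return ("allow", "sender whitelisted")
    hits = keyword_hits(body)
    if len(hits) >= threshold:
        return ("filter", "keywords: " + ", ".join(hits))
    return ("allow", "no whitelist match, no keyword hits")
```

The whitelist check runs before any content rule so a known correspondent is never lost to a keyword match; everything else is judged only on what it says, which is why a first-time sender still gets through.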
Re:Client-side blocking (Score:2, Informative)
Re:Why does he think it's spammers? (Score:5, Informative)
Re:Why does he think it's spammers? (Score:5, Informative)
These blocklists are also very effective in keeping me from sending email from my T1 from Lightyear Communications.
I'm sure there are a million other guys out there with a thousand dollar a month T1 that is completely worthless for emailing customers thanks to these blocklists.
Go ahead and shout "spam-haus" and tell me I'm doing business with spammers or companies that support spammers, or in this case, our company's T1 is provided by a company (Lightyear) that gets their upstream from a company (UUNet), that supports spammers.
I guess by associating with spammers through about 4 levels of indirection, we are guilty and need to be punished.
Spam-Nazi apologists are worse than Spam-Nazis themselves. I was a Spam-Nazi myself until suddenly the punishment was applied to me, and there was nothing I could do about it.
I hope SPEWS is pinned by packetting until they shut down.
Re:ever tried to get off SPEWS? (Score:1, Informative)
Blacklists and Spam (Score:4, Informative)
If I did not use SOME rbl though, I would be sending out 6000 spam blocking notification messages a day mostly to people who aren't there or are not the real sender. Since I block things prior to getting through postfix, I am able to send them back a clear informative message on the blockage, DURING the transmission.
In any case, I have heard of lots of bad stuff about SPEWS and all but my experience with spamhaus and ordb are that both help block a lot of mail, and are responsible with their efforts.
In any case, it is my business (and my company's business of course) how we handle our incoming stream. If we choose to use a blacklist that is our right. As it was pointed out, we could always create our own (It is pretty easy to create a DNS-based one even to share with a few friends or whatnot)...
No one is going to be able to stop ALL blacklists, but by attacking the large centralized ones, it does not IMPROVE the ability to get taken off an RBL. It just makes it harder really.
Re:ever tried to get off SPEWS? (Score:5, Informative)
Yes, some may say "find another ISP", but that's not always easy; contracts may make that impossible for many months and the ISP may otherwise be fine as is.
If they block anything, they should only block the IP's that cause the problem, not large netblocks.
Re:Why does he think it's spammers? (Score:4, Informative)
The SPEWS FAQ (still available at a number of mirrors) very clearly spells out the criteria for SPEWS listings. You are either willfully ignorant or lying to make such a claim.
SPEWS keeps logs which are not detailed and often downright inaccurate.
Specific reference, please.
SPEWS does not provide a way for spam filters to differentiate between real spammers and collateral damage. It's all listed the same.
SPEWS makes it very clear that their listing is of IP addresses owned by spammer-friendly ISPs, not just spammers. If an admin uses SPEWS without understanding what it will be filtering, that admin should be fired.
Re:Quite a few actually. (Score:3, Informative)
Re:Why does he think it's spammers? (Score:4, Informative)
In the mean time, feel free to dig through these [google.com].
here's an article... (Score:2, Informative)
Am I the only one who did not have this problem? (Score:5, Informative)
The volume of spam is sufficient without removing the blacklists.
Re:Why does he think it's spammers? (Score:2, Informative)
It's not secret information that sometimes folks get put on the list because of an accidental mistake in their setup that they soon correct.
The question is if it is worth it to you (and your users) to have this potential loss of legitimate mail in order to reduce the amount of spam you are receiving. To some it is, to some it's not, some even set up two different mail servers, one blocking the other not so folks can use different accounts on each if they wish.
Putting someone on the list does not say that company/isp whatever, is a spammer, only that some spam was reported at some point to come from that IP or IP range. It's up to the individual running the mail server to determine if it is a greater benefit or not to use the list. No one is forced to use the list. If the users don't like it they can either get the mail admin to remove the block, or get another mail account on another server that doesn't block. It's not like email accounts are exactly tough to come by these days.
Re:Why does he think it's spammers? (Score:5, Informative)
The problem is that collective IP blacklisting is so mistake-prone that it's just unacceptable. I had a server, one that hosted e-mail for several domains (none of which do anything remotely spam-like), and somebody forged the IP in a header, and the server got into some darned blacklist based on three anonymous "reports". Thankfully, most people are smart enough to use better anti-spam measures such as keyword or header filtering, which don't cede control to external mobs.
On a corporate server, you'd be nuts to use one of those blacklists; at the very least, you want to be able to whitelist your important business partners. Perhaps the DDoS attacks are from some disgruntled sysadmin who got canned when an important e-mail to the CEO mistakenly bounced.
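The listing the comment above describes came from a forged IP in a header. The defensive lesson is that only the connecting peer's address is verifiable; every IP further down the Received chain is a claim the sender wrote. Added example, not code from the original post: it assumes the receiving site's own relays are the constructed TRUSTED_RELAYS range, and the headers are a constructed sample.

```python
"""Deciding which IP a blocklist check may be applied to.

Added example, not from the original comment. Only Received headers written by
our own relays (TRUSTED_RELAYS, constructed) are believed; the first hop handed
to us by an untrusted host is the real peer, and everything below it is unverified.
"""
import ipaddress
import re

# Constructed: the receiving site's own relays, whose Received headers are trusted.
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]

# Matches the bracketed IP in "from host (name [ip]) by host" style Received lines.
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: our MX, our internal relay, an external peer, then a forged hop.
SAMPLE_HEADERS = """Received: from relay1.example.test (relay1 [192.0.2.10]) by mx.example.test
Received: from mail.elsewhere.test (mail.elsewhere.test [198.51.100.7]) by relay1.example.test
Received: from innocent.example.org (innocent [203.0.113.9]) by mail.elsewhere.test
Subject: hello
"""


def received_ips(raw_headers):
    """The bracketed IP from each Received: header, newest (topmost) first; None if unparsable."""
    ips = []
    for line in raw_headers.splitlines():
        if line.lower().startswith("received:"):
            m = _RECEIVED_IP.search(line)
            ips.append(m.group(1) if m else None)
    return ips


def is_trusted(ip):
    """True if the address belongs to one of our own relays."""
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_RELAYS)


def ip_to_check(raw_headers):
    """The connecting peer: the first IP that a trusted relay says it received from.

    Walks the chain from the newest header down. Stops at the first untrusted
    address, because the headers below it were written by that host and may be forged.
    Returns None if a hop is unparsable or the whole chain is internal.
    """
    for ip in received_ips(raw_headers):
        if ip is None:
            return None  # do not guess from a malformed header
        if not is_trusted(ip):
            return ip
    return None


def unverified_ips(raw_headers):
    """Addresses below the trust boundary: claims only, never suitable as blocklist input."""
    ips = received_ips(raw_headers)
    peer = ip_to_check(raw_headers)
    if peer is None:
        return []
    return [ip for ip in ips[ips.index(peer) + 1:] if ip is not None]
```

Feeding `ip_to_check()` rather than every header IP to a blocklist is what keeps a third party from getting an innocent server listed by inserting its address into a message.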
Brazil (Score:3, Informative)
Yes, many have the entirety of Brazil blocked. And for good reason, too. Doing so cuts out a huge chunk of spam and reduces the costs on the receiving mail servers and networks noticeably. It works.
The problem is that most of Brazil is served by one big telco monopoly that is operated entirely incompetently. That doesn't necessarily mean each person in that company is incompetent, but those that are not are surely aware of their inability to do the right thing and stop the spam.
Some people even blocked all of 200/8.
Now I don't actually agree with the actions those people did. What I did was scan those networks for patterns and figured out specific domains to block. I'm getting most of the effectiveness without the false positives. I do have almost all the cable modem and dynamic DSL lines blocked as best as I can.
But the real goal is to get spammers disconnected so they can't even send a SYN packet, much less make an SMTP connection. You have a better idea that meets those goals than what is being done now? If so, post it.
This Extremism Needs to Stop (Score:2, Informative)
But there are some mature Internet users who do not believe the way to solving things is running a DDoS against a party or blocking subnets carelessly. I do not know how many are on
There is no panacea for spam. Sorry.
It is very irresponsible of any maintainer of a blacklist to target large IP blocks. There is no possible way to maintain such a list accurately without targeting innocent parties. Collateral damage is understandable, but it should also be looked down upon and avoided at great cost, not accepted. Imagine IPv6 blacklists.
Admins need to take the responsibility to make use of blacklists which are strict in the conservative sense (i.e. very specific). We can all understand this is not as effective as blacklisting the entire Internet.
This is really ridiculous and childish, except with adult repercussions. On the one hand, we have virtual fascism with blacklists. On the other, we have DDoS attacks to end them. And what does this do for the users? Nothing. More bandwidth wasted, more time diverted from the real issue, and disruptive communications.
The Internet is not a playground anymore. Some people actually use it for business, important communication, etc. We need to get serious, not extreme.
Re:Why does he think it's spammers? (Score:3, Informative)
Your network is probably still providing some service to a spammer in some way. The requirement of SPEWS, other than for first time spammers (i.e. this means any services to any repeat spammers), is that absolutely every service be terminated with no exceptions. This not only includes IP access through which they may spam, but also web hosting, DNS hosting, phone service, office space rental, ... everything ... period. Now if you really have done all that, and posted a description of exactly everything that was terminated (don't just say you did, admit to what services you provided and when that service was terminated), it should get read by one of the SPEWS team, who can check the database.
But you do need to realize that SPEWS does have a punitive element. If you kept providing services to a known spammer for N months, expect SPEWS to delay your deletion for N months.
Also, many people have mis-interpreted the SPEWS listings. Level 1 means listed, and level 2 means probationary. If you are on probation, it is because you delayed long enough to get your network listed (you should have disconnected the spammer before that happened). Level 2 is not listing to be blocked. A few networks choose to block based on level 2 for extended punitive purposes. You know who they are (from your mail server logs), so complain to them for mis-using SPEWS.
Provide some specifics, like which network this is, or which SPEWS record number, and I can look up some of it (my archives of the public data from SPEWS cover 7 July 2002 to 15 August 2003).
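Two earlier points in this thread, building your own DNS-based blocklist to share with a few friends and the distinction between level 1 (listed) and level 2 (probationary) records, as one added example. This is not SPEWS's or any other list's own data or code. Assumptions, also marked in the comments: the zone name dnsbl.example is a placeholder, the return codes 127.0.0.2 for level 1 and 127.0.0.3 for level 2 are this example's own convention rather than any real list's values, the resolver is an offline dictionary standing in for DNS, and all addresses are from documentation ranges.

```python
"""A small DNS-based blocklist with listing levels, run entirely offline.

Added example, not any real list's code or data. Assumed conventions:
zone name dnsbl.example (placeholder); 127.0.0.2 = level 1 (listed, block),
127.0.0.3 = level 2 (probationary, log only). Addresses are documentation ranges.
"""
import ipaddress

LEVEL_CODES = {"127.0.0.2": 1, "127.0.0.3": 2}  # assumed convention, see docstring

# Constructed listings: one host at level 1, one whole /24 on probation.
SAMPLE_LISTINGS = [("198.51.100.7", 1), ("203.0.113.0/24", 2)]


def reverse_octets(ip):
    """DNSBL query label: octets reversed, e.g. 203.0.113.9 -> '9.113.0.203'."""
    return ".".join(reversed(str(ipaddress.ip_address(ip)).split(".")))


def build_zone(listings, zone="dnsbl.example"):
    """Turn (network, level) pairs into name -> A-record mappings.

    A single host becomes an exact record. A /24 (the 'class C' step the thread
    describes) becomes a wildcard record so every address in it answers.
    """
    records = {}
    for net, level in listings:
        net = ipaddress.ip_network(net, strict=False)
        code = next(c for c, lvl in LEVEL_CODES.items() if lvl == level)
        if net.prefixlen == 32:
            name = reverse_octets(str(net.network_address)) + "." + zone
        elif net.prefixlen == 24:
            first_three = str(net.network_address).split(".")[:3]
            name = "*." + ".".join(reversed(first_three)) + "." + zone
        else:
            raise ValueError("this example supports only /32 and /24 listings")
        records[name] = code
    return records


def dict_resolver(records):
    """Offline stand-in for DNS: exact name first, then the /24 wildcard."""
    def resolve(name):
        if name in records:
            return records[name]
        rest = name.split(".", 1)[1]
        return records.get("*." + rest)
    return resolve


def lookup(ip, resolve, zone="dnsbl.example"):
    """Listing level for ip (1 or 2), or None when not listed."""
    answer = resolve(reverse_octets(ip) + "." + zone)
    return LEVEL_CODES.get(answer) if answer else None


def smtp_decision(ip, resolve, block_levels=(1,), zone="dnsbl.example"):
    """Decide during the SMTP transaction so the sender sees the reason at once.

    Per the comment above, only level 1 blocks by default; level 2 is accepted
    and logged. Returns (accept, reply_text).
    """
    level = lookup(ip, resolve, zone)
    if level in block_levels:
        return (False, "554 5.7.1 Service unavailable; client [%s] listed at level %d by %s" % (ip, level, zone))
    if level is not None:
        return (True, "250 accepted; [%s] is level %d (probationary) on %s, logged only" % (ip, level, zone))
    return (True, "250 accepted; [%s] not listed on %s" % (ip, zone))


RESOLVER = dict_resolver(build_zone(SAMPLE_LISTINGS))
```

Replacing `dict_resolver` with a real A-record query against a zone you serve yourself gives the shared private list the earlier comment mentions; keeping `block_levels` at level 1 only is the reading of the two levels the comment above recommends.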
Re:Why does he think it's spammers? (Score:4, Informative)
Not quite correct. They decide to list, and delist, people based on their criteria. They decide how you will contact them when you get listed - or decide to make it absolutely impossible to reliably contact them, and decide to mock you/nitpick the minutiae of your phrasing when you fall back on posting to nanae.
And many of them decide, quite clearly, to be assholes.
Re:ever tried to get off SPEWS? (Score:2, Informative)
After cleaning up his act (he spent a couple of weeks doing it), spews removed its range, and even in a later date, when someone asked about a provider in Brazil that wasn't a spamhaus, they got mentioned as a "good example" in nanae.
The whole point is, spews is bad, but the alternative is worse, and yes, they do remove listings, if the proper actions are taken.
DonBlackholes (Score:2, Informative)
Re:ever tried to get off SPEWS? (Score:2, Informative)
Anyway, blacklisting is a hard business to be in. I know THE blacklist guy in Argentina; his server was in our university datacenter... However, he had to move out, as unfortunately the university can't stand three-day spans without mail or any kind of remote access.